Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines


NATO Communications and Information Agency (NCI Agency) - Industry Cyber Security Information Sharing at the Technical Level

Guidelines

Effective date: 28 March 2014
Revision No: Rev 1

Change History

Revision Number   Date            Change
Original          October 2013
Rev 1             March 2014      Added Para 8 (9)

Contents

1. Introduction
2. NATO Legal Framework
3. Definitions
4. Purpose of the Programme
5. Programme description
6. Eligibility
7. Procedures
8. Information Sharing
9. General provisions
10. Termination

1. Introduction

NATO and industry working with NATO continue to face increasing risks that Information exchanged or stored on their networks and systems can be accessed, affected or infected through malicious cyber acts, thereby causing damage to the Alliance and its Members. NATO and industry need to be able to prevent and counter such threats and to analyse and share data in order to understand the nature, extent and possible sources of such incidents and to react to threats.

The NATO Communications and Information Agency (NCI Agency) is responsible for identifying and promoting the development of essential capabilities that meet NATO's and its Member Nations' needs in ensuring cyber safety and security. NATO capabilities to identify, prevent, detect and respond to external threats to NATO CIS infrastructure are primarily performed by the NCI Agency NATO Computer Incident Response Capability Technical Centre (NCIRC TC).

With these Guidelines, the NCI Agency implements a voluntary bilateral Cyber Information Sharing Programme which will allow industry working with NATO and NATO to share cyber security Information in order to mutually enhance situational awareness and the protection of their networks and systems. The Guidelines are applicable to Partners as defined herein and the NCI Agency, together referred to as Participants of the Information Sharing Programme ("Programme").

The objectives of these Guidelines are to establish: (1) the basis for participation in this Programme, (2) the confidentiality and security of the Information shared by the Partners, and (3) a set of guidelines for Partners on how to share Information.

These Guidelines set out the NCI Agency's Programme with respect to Information sharing on cyber security, focussing on the following areas:
- Purpose of the Programme;
- Eligibility;
- Procedures;
- Information sharing.

2. NATO Legal Framework

a) North Atlantic Treaty, signed on 4 April 1949;
b) The Management of Non-Classified Information, C-M(2002)60;
c) Council Decision on the Establishment of the NATO Communications and Information Organisation (C-M(2012)0049-AS1), dated 13 June.

NATO is operating within the framework of a number of agreements concluded between the Member States of the Alliance. These agreements are the legal bases for all actions to be undertaken by the Organisation in order to fulfil its goal and purposes, based on activities as specified in the basic agreements/arrangements, and further developed through the decision making process in NATO and the implied powers of the Organisation in such respect.

3. Definitions

(1) Cyber: relating to, or involving computers or computer networks, including software and data.
(2) Cyber security: body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
(3) Information: any communications or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.
(4) Information system: a discrete set of Information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.
(5) NATO Information: means Information provided by the NCI Agency under the voluntary Programme, including but not limited to cyber threat Information and Information assurance practices.
(6) Participants: means Partners and the NCI Agency when acting together under the Information Sharing Programme.
(7) Partner: industry stakeholders and any other NATO entity willing to participate.
(8) Partner Information: means Information provided by a Partner under the voluntary Programme, including but not limited to cyber threat Information and Information assurance practices.
(9) Programme: set up to establish the voluntary bilateral Information sharing to allow Partners and NATO to share cyber security Information in order to enhance the protection of their networks and systems.
(10) Threat: any circumstance or event which may potentially have an adverse impact on organisational operations, organisation assets, individuals, other organisations, or larger entities through unauthorised access, destruction, disclosure, modification of Information and/or denial of service.

4. Purpose of the Programme

Information exchanged between the Partners and the NCI Agency will help the Participants to better understand threat patterns and attack trends, thereby improving the application of preventive measures and reducing the scope for future attacks. The aim is to increase awareness of the extent and severity of cyber threats to NATO and Partners and ultimately to enhance and supplement capabilities to safeguard Information.

The Programme aims at bilateral Information sharing on cyber threat Information and Information security best practices, cyber threat indicators and mitigation measures. The main benefit of participation in the Programme is access to threat assessment, prevention, and mitigation Information. Partners are encouraged to share reports of intrusion events and to participate in damage assessments with the NCI Agency. Partners are further encouraged to report any cyber security incident that may be of interest to NATO.

The NCI Agency may share cyber threat Information and Information assurance best practices with Partners and may analyse the Information reported by the Partners regarding any cyber incident, to glean Information regarding cyber threats, vulnerabilities and the development of effective response measures. The NCI Agency may also analyse reports to accumulate Information regarding cyber threats and vulnerabilities, and develop effective response measures which it may share with Partners.

5. Programme description

The NCI Agency public portal will provide information on the principles of the Information Sharing Programme and the points of contact within the NCI Agency. Potential Partners can apply, but acceptance will be at the NCI Agency's discretion. The NCI Agency may also invite potential Partners to apply.

6. Eligibility

Potential Partners are eligible to apply for participation in the Programme if the following conditions are met:

(1) Industry must be from a NATO member nation.
(2) Requests for participation will be reviewed by the NCI Agency NCIRC TC on a case-by-case basis. Potential Partners will need to show that they are in a position to contribute a balanced share of Information.
(3) Participation in the Programme is subject to the conclusion of the standardized bilateral Industry Partnership Agreement ("I-PA") between a Partner and the NCI Agency. The Industry Partnership Agreement provides the legal and security requirements for Programme participation and will include provisions on the confidentiality of the Information provided by the Participants.
(4) Partners agree to comply with the requirements for managing non-classified Information in accordance with the document referenced at 2b) herein.
(5) This agreement is not considered an alternative to, in conflict with, or an amendment of existing arrangements (e.g. on security cooperation).

7. Procedures

Information will only be shared subject to the following prerequisites:

(1) Conclusion of the Industry Partnership Agreement, including any agreed additional terms and conditions implementing the voluntary Information sharing activities between the NCI Agency and the Partner.
(2) The NCI Agency NCIRC Programme Manager for the Information Sharing Programme will be indicated on the NCI Agency portal. Points of contact authorised to exchange Information relevant to the Programme will be further identified in the Industry Partnership Agreement.
(3) Partners will provide their primary POC for participation in the Programme and any other representatives authorised to communicate with the NCI Agency NCIRC TC under this Programme. Details will be indicated in the Industry Partnership Agreement.

8. Information Sharing

The following principles apply to the sharing of Information under the Programme:

(1) Confidentiality general rule
    The originator of the Information to be shared under the Programme decides on the level of confidentiality of such Information and on the appropriate method of disclosure, using the Traffic Light Protocol at Annex A.

(2) Non-classified Information
    The Information exchange will be limited to non-classified Information. The source of the Information retains ownership. Depending on the sensitivity of the Information, the owner is permitted to limit the use of the Information and determine how it is communicated. Information will be disclosed either (1) by delivery of items electronically (in encrypted format if required by the sensitive nature of the Information), or (2) by oral and/or visual presentation. Disclosure of Information may be indicated through the use of the Traffic Light Protocol (TLP) on Information sharing as laid down in the Guidelines. The TLP is based on the concept of the originator labelling Information with one of four colours to indicate what further dissemination, if any, can be undertaken by the recipient.

(3) Classified Information
    If, under exceptional circumstances, there is the need to exchange classified Information, it will not be communicated under the Industry Partnership Agreement. Arrangements with NATO member Nations for the exchange of classified Information are in place and may be used if the industry Partner has the appropriate security clearance to handle such Information. Points of contact can be made available by the NCI Agency NCIRC TC as and when required.

(4) Initial incident reporting
    Partners may choose to report cyber incidents to the NCI Agency if they determine that the incident may be relevant to Information assurance activities of the NCI Agency. The NCI Agency may initiate an exchange with Partners by requesting Information or by sending a report. Participants are encouraged to provide timely, actionable Information.

(5) NATO and Partner Information
    a. A foundational element of this bilateral Programme is the recognition that the Information shared between the Participants may include extremely sensitive non-public Information, which must be protected against unauthorized uses and disclosures in order to preserve the integrity of the Programme. For example, cyber threat Information shared by the NCI Agency must be protected against compromise by the cyber threat, which may already have a presence on the Partner's system; the Partner must therefore utilise security measures and limited sharing within the company to ensure that the cyber threat Information retains its operational value, for the benefit of all of the Programme Participants.
    b. Similarly, the Partners typically treat Information regarding potential cyber intrusion incidents on their networks as extremely sensitive proprietary, commercial, or operational Information and tightly control that Information within the company, let alone sharing it outside the company. The Partners share this type of Information with the NCI Agency only on the condition that the NCI Agency safeguards that Information against any unauthorized use or release (both within and outside the NCI Agency), which could cause substantial competitive harm to the Partner that reported that Information.
    c. In addition, during any follow-on forensics or assessment activities, the NCI Agency and Partners may share additional types of sensitive Information, which may include Information regarding the types of Information that may have been compromised during the reported incident, potentially including the most sensitive types of non-classified Information.
    d. The NCI Agency and the Partners acknowledge that Information shared under this Programme may include extremely sensitive proprietary, commercial, or operational Information that is not customarily shared outside, and that the unauthorised use or disclosure of such Information could cause substantial harm to NATO or the Partner that reported that Information. The NCI Agency and the Partners will take all reasonable steps to protect against such unauthorised use or release of Information received or derived from Information received. The NCI Agency and the Partners will restrict their internal use and disclosure of Information to only internal staff and support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of sensitive Information and who have a need to know.

(6) Generic Information
    Without disclosing Partner or NATO specific Information, Participants may also provide generic non-sensitive Information they develop concerning the nature, scope, prevention and mitigation of cyber-attacks to other Participants.

(7) Industry Partnership Agreement
    In recognition of the protections to be given to the shared Information, the NCI Agency and each Partner must enter into a standardized Industry Partnership Agreement (I-PA) which will describe the procedures, the Information sharing principles and the confidentiality measures to protect the exchanged Information.

(8) Voluntary participation
    Participation in the Programme is voluntary and does not obligate the Partners or the NCI Agency to share Information, to utilize Information provided, or to implement any changes to their Information systems.

(9) Non-attribution
    The recipient shall not use or further disclose the discloser's Information in a manner which attributes it to the discloser, unless permitted by the discloser, either expressly or implicitly.

9. General provisions

(1) Participants will conduct their activities under this Programme in accordance with applicable laws and regulations, including restrictions on the interception, monitoring, access, use, and disclosure of electronic communications or data. Participants bear responsibility for their own actions under this Programme.
(2) A Partner's voluntary participation in this Programme will not create any competitive advantage or preferential treatment in NATO source selection activities. Participation does not in any way represent an endorsement of the Partner, its Information systems or products and services.
(3) Participants exercise due care in the collection, storage and the subsequent access of any resulting Information collated for the purposes of the Programme.
(4) Information may be retained for digital forensics purposes.
(5) Neither the NCI Agency nor the Partners will issue media statements or make public announcements relating to their engagement in this Information sharing Programme. This includes the public use of the name (including abbreviations), emblem, logo, or official seal of any other party as a result of participating in the Programme.
(6) This is a voluntary Programme and Participants are free to decide whether to implement changes to their Information systems or otherwise utilise best practices which they become aware of through this Programme. Any action is taken at the Participant's own risk and expense, and other Participants will not be liable for damages caused by the implementation or the non-implementation.
(7) Nothing in this Programme is intended to abrogate NATO's or the Partner's rights or obligations regarding the handling, safeguarding, sharing, or reporting of Information (whether classified or not), or regarding any physical, personnel, or other security requirements, as required by law, regulation, policy, or a valid legal contractual obligation.

10. Termination

Partners and the NCI Agency may unilaterally limit or discontinue participation in the Programme at any time. Shared Information cannot be reclaimed. However, termination shall not relieve the Partners or the NCI Agency of obligations to protect against the unauthorised use or disclosure of Information exchanged under this Programme.

Annex A: Traffic Light Protocol (TLP) Matrix

The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colours to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). [1]

The originator of information to be handled according to TLP should label the information with the correct TLP colour in order to indicate how widely that information may be disseminated, by including 'TLP: [Colour]' in unambiguous text in the header and footer of the document and initialing the markings.

RED
    When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
    How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

AMBER
    When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
    How may it be shared? Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information.

GREEN
    When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
    How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

WHITE
    When should it be used? Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
    How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.

[1] Based on the version presented under
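A recipient can apply the Annex A matrix mechanically before forwarding anything received under the Programme. The Python below is an added example, not part of the Guidelines and not NCI Agency tooling: it reads the 'TLP: [Colour]' marking that Annex A requires in the header and footer, refuses documents whose markings are missing, ambiguous or inconsistent (failing closed rather than guessing), and checks a proposed audience against the colour's ceiling, including the rule that TLP: GREEN material may not leave via publicly accessible channels. The Scope names, the MarkingError class and the sample header/footer texts are this example's own constructions.

```python
"""TLP marking check for a recipient about to re-share a document.

Added example, not NCI Agency code. Models Annex A of the Guidelines:
the originator marks the document 'TLP: <COLOUR>' in header and footer,
and the colour fixes the widest audience the recipient may pass it to.
"""
from __future__ import annotations

import re
from enum import Enum


class Scope(Enum):
    """Audiences a recipient might share with, narrowest to widest.
    The names are this example's own shorthand for the Annex A audiences."""
    ORIGINAL_EXCHANGE = 1      # the exchange, meeting or conversation where it was disclosed
    OWN_ORG_NEED_TO_KNOW = 2   # members of the recipient's own organisation who need to know
    SECTOR_PEERS = 3           # peers and partner organisations in the sector or community
    PUBLIC = 4                 # unrestricted distribution


# Widest permitted audience per colour, taken from the Annex A matrix.
MAX_SCOPE = {
    "RED": Scope.ORIGINAL_EXCHANGE,
    "AMBER": Scope.OWN_ORG_NEED_TO_KNOW,
    "GREEN": Scope.SECTOR_PEERS,
    "WHITE": Scope.PUBLIC,
}

# Annex A asks for 'TLP: [Colour]' in unambiguous text; accept any case and optional space.
MARKING_RE = re.compile(r"\bTLP:\s*(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


class MarkingError(ValueError):
    """Raised when a document's TLP marking is absent, ambiguous or inconsistent."""


def parse_marking(header: str, footer: str) -> str:
    """Return the document's TLP colour.

    Header and footer must each carry exactly one colour, and they must agree;
    anything else is reported as an invalid marking instead of being guessed at.
    """
    colours = []
    for where, text in (("header", header), ("footer", footer)):
        found = {m.group(1).upper() for m in MARKING_RE.finditer(text)}
        if not found:
            raise MarkingError(f"no TLP marking in {where}")
        if len(found) > 1:
            raise MarkingError(f"conflicting TLP markings in {where}: {sorted(found)}")
        colours.append(found.pop())
    if colours[0] != colours[1]:
        raise MarkingError(f"header is TLP: {colours[0]} but footer is TLP: {colours[1]}")
    return colours[0]


def may_share(colour: str, scope: Scope, via_public_channel: bool = False) -> bool:
    """Is sharing to `scope` within what `colour` permits?

    GREEN may reach sector peers but, per Annex A, not via publicly accessible
    channels; only WHITE may be distributed over such channels at all.
    """
    if scope.value > MAX_SCOPE[colour].value:
        return False
    if via_public_channel and colour != "WHITE":
        return False
    return True


def evaluate(doc: dict, scope: Scope, via_public_channel: bool = False) -> tuple:
    """Decide (allowed, reason) for re-sharing `doc` to `scope`.

    Fails closed: a document whose marking cannot be established is not shared.
    """
    try:
        colour = parse_marking(doc["header"], doc["footer"])
    except MarkingError as exc:
        return False, f"denied, marking invalid: {exc}"
    if may_share(colour, scope, via_public_channel):
        return True, f"allowed: TLP: {colour} permits {scope.name}"
    channel = " via a public channel" if via_public_channel else ""
    return False, f"denied: TLP: {colour} does not permit {scope.name}{channel}"


# Constructed sample documents (header/footer text only); not real reports.
SAMPLE_DOCS = {
    "amber_incident": {
        "header": "TLP: AMBER - Incident summary, Partner X (constructed sample)",
        "footer": "Page 1 of 3 - TLP: AMBER",
    },
    "green_advisory": {
        "header": "TLP: GREEN - Mitigation advisory (constructed sample)",
        "footer": "TLP: GREEN",
    },
    "mismatched": {
        "header": "TLP: GREEN - Draft notes",
        "footer": "TLP: RED",  # header and footer disagree: invalid marking
    },
    "unmarked": {
        "header": "Weekly threat notes",
        "footer": "Page 1",
    },
}


if __name__ == "__main__":
    # Walk every sample through every audience and print the decision.
    for name, doc in SAMPLE_DOCS.items():
        for scope in Scope:
            allowed, reason = evaluate(doc, scope)
            print(f"{name:15} -> {scope.name:22} {reason}")
    print(evaluate(SAMPLE_DOCS["green_advisory"], Scope.SECTOR_PEERS, via_public_channel=True)[1])
```

The deliberate design choice is the fail-closed path in evaluate: an unmarked or inconsistently marked document is treated as undecidable and withheld, which is the safe default for material the Guidelines describe as potentially "extremely sensitive non-public Information". The channel flag is separate from the audience because Annex A constrains both for GREEN: the right peers reached over a public channel is still a breach.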


More information

Outsourcing and third party access

Outsourcing and third party access Outsourcing and third party access This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Exhibit 2. Business Associate Addendum

Exhibit 2. Business Associate Addendum Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

TOOLBOX. ABA Financial Privacy

TOOLBOX. ABA Financial Privacy ABA Financial Privacy TOOLBOX This tool will help ensure that privacy remains a core value in all corners of your institution. The success of your privacy program depends upon your board s and your management

More information

AGREEMENT AND TERMS OF USE

AGREEMENT AND TERMS OF USE AGREEMENT AND TERMS OF USE The website located at www.100womeninhedgefunds.org and the services of 100 Women in Hedge Funds ( 100WHF ) available thereon (collectively, the Site ), together with the networking

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Service Schedule for Business Email Lite powered by Microsoft Office 365

Service Schedule for Business Email Lite powered by Microsoft Office 365 Service Schedule for Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION Service Overview 1.1 The Service is a hosted messaging service that delivers the capabilities of Microsoft

More information

Notes on Network Security - Introduction

Notes on Network Security - Introduction Notes on Network Security - Introduction Security comes in all shapes and sizes, ranging from problems with software on a computer, to the integrity of messages and emails being sent on the Internet. Network

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

HIPAA Business Associate Agreement For Collaborative Services

HIPAA Business Associate Agreement For Collaborative Services EXECUTION DRAFT HIPAA Business Associate Agreement For Collaborative Services This Business Associate Agreement ( Agreement ) is by and between the Camden Coalition of Healthcare Providers, Inc. (the Business

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

NSA/IAD NSCAP CIRA Accreditation Instruction Manual

NSA/IAD NSCAP CIRA Accreditation Instruction Manual Table of Contents 1 Introduction...5 1.1 Fees and Charges... 5 1.2 Application Submittals... 6 2 How to Apply Qualifications...7 3 CIRA Services The Accreditation Process...7 3.1 Overview... 7 3.2 Application

More information

General Conditions for Professional Services

General Conditions for Professional Services General Conditions for Professional Services 1. LEGAL STATUS The Contractor shall be considered as having the legal status of an independent contractor vis-à-vis UNDP. The Contractor's personnel and sub-contractors

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Quorum Privacy Policy

Quorum Privacy Policy Quorum Privacy Policy Quorum Analytics Inc. ( Quorum") has created this website (the "Website" or the "Site") to provide an online analytical tool that Subscribers can use to generate Derived Analytics

More information

All copyright, trade mark, design rights, patent and other intellectual property rights (registered or unregistered) in the Content belongs to us.

All copyright, trade mark, design rights, patent and other intellectual property rights (registered or unregistered) in the Content belongs to us. LEO Pharma Terms of use We/ Us/ Our You/Your Website Content LEO Laboratories Limited a company registered in the United kingdom under number 662129) known as LEO Pharma (LEO Pharma) and companies affiliated

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement This HIPAA Business Associate Agreement (the Agreement ) is executed by the parties on the dates shown beneath their respective signature lines, but is effective as of,

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

TERMS AND CONDITIONS LIMASSOL 3on3

TERMS AND CONDITIONS LIMASSOL 3on3 TERMS OF WEBSITE USE TERMS AND CONDITIONS LIMASSOL 3on3 This terms of use (together with the documents referred to in it) tells you the terms of use on which you may make use of our website www.limassol3on3.com

More information

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS These Cybersecurity Testing and Certification Service Terms ( Service Terms ) shall govern the provision of cybersecurity testing and certification services

More information

EA-ISP-001 Information Security Policy

EA-ISP-001 Information Security Policy Technology & Information Services EA-ISP-001 Information Security Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 13/03/2015 Document Security Level: PUBLIC Document Version: 2.41 Document Ref:

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS SITE

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS SITE Woodlane Dental Equipment LTD Unit 10, Global Business Park Wilkinson Road Cirencester GL7 1YZ T: 01454 314 302 W: www.woodlanedental.co.uk E: Info@WoodlaneDental.co.uk PLEASE READ THESE TERMS AND CONDITIONS

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

SAMPLE RETURN POLICY

SAMPLE RETURN POLICY DISCLAIMER The sample documents below are provided for general information purposes only. Your use of any of these sample documents is at your own risk, and you should not use any of these sample documents

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

NHS Procurement Dashboard: Overview

NHS Procurement Dashboard: Overview NHS Procurement Dashboard: Overview November 2013 You may re-use the text of this document (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence.

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by and between the Administrators of the Tulane Educational Fund acting

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

Your use of this website and any dispute arising out of such use of the website is subject to the laws of Malaysia;

Your use of this website and any dispute arising out of such use of the website is subject to the laws of Malaysia; TERMS AND CONDITIONS OF USE Welcome to Grand Lexis Port Dickson website. If you continue to browse and use this website you are agreeing to comply with and be bound by the terms and conditions of use set

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 200 ( Effective Date ), and entered into by and between, whose address is ( Business Associate ) and THE

More information

GOVERNMENT OF THE REPUBLIC OF LITHUANIA

GOVERNMENT OF THE REPUBLIC OF LITHUANIA GOVERNMENT OF THE REPUBLIC OF LITHUANIA RESOLUTION NO 796 of 29 June 2011 ON THE APPROVAL OF THE PROGRAMME FOR THE DEVELOPMENT OF ELECTRONIC INFORMATION SECURITY (CYBER-SECURITY) FOR 20112019 Vilnius For

More information

MCC TERMS AND CONITIONS

MCC TERMS AND CONITIONS MCC TERMS AND CONITIONS Welcome to MNCred.org, which is owned by Minnesota Credentialing Collaborative, LLC ( we, us or MCC ) a joint effort of the Minnesota Council of Health Plans (MCHP), Minnesota Hospital

More information

ADP Ambassador /Referral Rewards Program. Terms and Conditions of Use

ADP Ambassador /Referral Rewards Program. Terms and Conditions of Use ADP Ambassador /Referral Rewards Program Terms and Conditions of Use These Terms and Conditions ("Terms") are an agreement between ADP, LLC ("ADP"), on behalf of its Major Accounts Services Division ("MAS"),

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project HIPAA Compliance And Participation in the National Oncologic Pet Registry Project Your facility has indicated its willingness to participate in the National Oncologic PET Registry Project (NOPR) sponsored

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Terms of Use

GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Terms of Use GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Terms of Use IMPORTANT! YOUR REGISTRATION AND USE OF THIS GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker

More information

Incident Response Plan for PCI-DSS Compliance

Incident Response Plan for PCI-DSS Compliance Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible

More information

Privacy Policy and Terms of Use

Privacy Policy and Terms of Use Privacy Policy and Terms of Use Pencils of Promise, Inc. ( PoP, we, us or our ) shares your concern about the protection of your personal information online. This Privacy Policy and Terms of Use ( Policy

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

MEMORANDUM OF UNDERSTANDING

MEMORANDUM OF UNDERSTANDING MEMORANDUM OF UNDERSTANDING BETWEEN The Minister for Police AND Participants as listed in Clause A of the Schedule to this Memorandum FOR THE PROVISION OF A COORDINATED STATE CCTV NETWORK THAT ALLOWS DATA

More information

Department of Defense INSTRUCTION. Security of Unclassified DoD Information on Non-DoD Information Systems

Department of Defense INSTRUCTION. Security of Unclassified DoD Information on Non-DoD Information Systems Department of Defense INSTRUCTION NUMBER 8582.01 June 6, 2012 DoD CIO SUBJECT: Security of Unclassified DoD Information on Non-DoD Information Systems References: See Enclosure 1 1. PURPOSE. This Instruction:

More information

TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES

TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES Acknowledgement and acceptance of Terms Kuwait Finance House (Bahrain) B.S.C. (the Bank, our, us or we

More information

Website terms and conditions

Website terms and conditions Website terms and conditions Thank you for visiting our website. Before you go any further, it is important that you read and understand the conditions under which you will be using this site. Acceptance

More information